package com.floragunn.searchguard;

import com.floragunn.searchguard.AbstractUnitTest;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateAction;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateRequest;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateResponse;
import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;
import com.floragunn.searchguard.support.ReflectionHelper;
import io.netty.handler.ssl.OpenSsl;
import java.net.InetSocketAddress;
import org.apache.http.Header;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesResponse;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.node.Node;
import org.elasticsearch.node.PluginAwareNode;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:com/floragunn/searchguard/SGTests.class */
public class SGTests extends AbstractUnitTest {

    @Rule
    public final ExpectedException thrown = ExpectedException.none();
    protected boolean allowOpenSSL = Boolean.parseBoolean(System.getenv("SG_ALLOW_OPENSSL"));

    @Test
    public void testEnsureOpenSSLAvailability() {
        if (this.allowOpenSSL) {
            Assert.assertTrue(String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
        }
    }

    @Test
    public void testDiscoveryWithoutInitialization() throws Exception {
        startES(Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).build());
        Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
        Assert.assertEquals(ClusterHealthStatus.GREEN, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getStatus());
    }

    @Test
    public void testNodeClientDisallowedWithNonServerCertificate() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).build();
        startES(build);
        Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
        Assert.assertEquals(ClusterHealthStatus.GREEN, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getStatus());
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put("node.client", true).put("path.home", ".").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").build();
        this.log.debug("Start node client", new Object[0]);
        Node start = new PluginAwareNode(build2, new Class[]{SearchGuardSSLPlugin.class}).start();
        Throwable th = null;
        try {
            try {
                Assert.assertEquals(1L, ((NodesInfoResponse) start.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
                if (start != null) {
                    if (0 == 0) {
                        start.close();
                        return;
                    }
                    try {
                        start.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (start != null) {
                if (th != null) {
                    try {
                        start.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    start.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testNodeClientDisallowedWithNonServerCertificateFull() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).build();
        startES(build);
        Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
        Assert.assertEquals(ClusterHealthStatus.GREEN, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getStatus());
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put("path.home", ".").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").build();
        this.log.debug("Start node client", new Object[0]);
        Node start = new PluginAwareNode(build2, new Class[]{SearchGuardSSLPlugin.class, SearchGuardPlugin.class}).start();
        Throwable th = null;
        try {
            try {
                Assert.assertEquals(1L, ((NodesInfoResponse) start.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
                if (start != null) {
                    if (0 == 0) {
                        start.close();
                        return;
                    }
                    try {
                        start.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (start != null) {
                if (th != null) {
                    try {
                        start.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    start.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testNodeClientAllowedWithServerCertificate() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).build();
        startES(build);
        Assert.assertEquals(3L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
        Assert.assertEquals(ClusterHealthStatus.GREEN, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getStatus());
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put("node.client", true).put("path.home", ".").put(build).build();
        this.log.debug("Start node client", new Object[0]);
        Node start = new PluginAwareNode(build2, new Class[]{SearchGuardSSLPlugin.class}).start();
        Throwable th = null;
        try {
            try {
                Assert.assertEquals(4L, ((NodesInfoResponse) start.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                Assert.assertEquals(4L, ((ClusterHealthResponse) client().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()).getNumberOfNodes());
                if (start != null) {
                    if (0 == 0) {
                        start.close();
                        return;
                    }
                    try {
                        start.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (start != null) {
                if (th != null) {
                    try {
                        start.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    start.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void ensureInitViaRestDoesWork() throws Exception {
        startES(Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).put("searchguard.ssl.http.clientauth_mode", "REQUIRE").put("searchguard.ssl.http.enabled", true).put(new Object[]{"searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build());
        this.enableHTTPClientSSL = true;
        this.trustHTTPServerCertificate = true;
        this.sendHTTPClientCertificate = true;
        Assert.assertEquals(503L, executePutRequest("searchguard/config/0", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("___", ""))).getStatusCode());
        this.keystore = "kirk-keystore.jks";
        Assert.assertEquals(201L, executePutRequest("searchguard/config/0", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("___", ""))).getStatusCode());
    }

    @Test
    public void testHTTPClientCert() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).put("searchguard.ssl.http.clientauth_mode", "REQUIRE").put("searchguard.ssl.http.enabled", true).put(new Object[]{"searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            this.log.debug("Start transport client to init", new Object[0]);
            build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
            build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
            build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config_clientcert.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
            System.out.println("------- End INIT ---------");
            build2.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
            build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
            build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
            build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
            build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
            Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    build2.close();
                }
            }
            this.enableHTTPClientSSL = true;
            this.trustHTTPServerCertificate = true;
            this.sendHTTPClientCertificate = true;
            this.keystore = "spock-keystore.jks";
            Assert.assertEquals(200L, executeGetRequest("_search", new Header[0]).getStatusCode());
            Assert.assertEquals(403L, executePutRequest("searchguard/config/0", "{}", new Header[0]).getStatusCode());
            this.keystore = "kirk-keystore.jks";
            Assert.assertEquals(200L, executePutRequest("searchguard/config/0", "{}", new Header[0]).getStatusCode());
            AbstractUnitTest.HttpResponse executeGetRequest = executeGetRequest("_searchguard/authinfo", new Header[0]);
            Assert.assertEquals(200L, executeGetRequest.getStatusCode());
            System.out.println(executeGetRequest.getBody());
        } catch (Throwable th3) {
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testHTTPBasic() throws Exception {
        Throwable th;
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build();
        TransportClient build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th2 = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build3.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build3.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build3.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build3.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
                build3.index(new IndexRequest("spock").type("type01").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("kirk").type("type01").refresh(true).source("{\"content\":1}")).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build3 != null) {
                    if (0 != 0) {
                        try {
                            build3.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        build3.close();
                    }
                }
                Assert.assertEquals(401L, executeGetRequest("", new Header[0]).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals(404L, executeGetRequest("searchguard/config/0", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals(404L, executeGetRequest("xxxxyyyy/config/0", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("abc", "abc:abc"))).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("userwithnopassword", ""))).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("userwithblankpassword", ""))).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "wrongpasswd"))).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic wrongheader")).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic ")).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic")).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "")).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("picard", "picard"))).getStatusCode());
                for (int i = 0; i < 10; i++) {
                    Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "wrongpasswd"))).getStatusCode());
                }
                Assert.assertEquals(200L, executePutRequest("/theindex", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(201L, executePutRequest("/theindex/type/1?refresh=true", "{\"a\":0}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("/theindex/_analyze?text=this+is+a+test", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("_analyze?text=this+is+a+test", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(200L, executeDeleteRequest("/theindex", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(403L, executeDeleteRequest("/klingonempire", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("theindexadmin", "theindexadmin"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("starfleet/_search", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("_search", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("starfleet/ships/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executeDeleteRequest("searchguard/", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePostRequest("/searchguard/_close", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePostRequest("/searchguard/_upgrade", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePutRequest("/searchguard/_mapping/config", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("searchguard/", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePutRequest("searchguard/config/2", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("searchguard/config/0", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executeDeleteRequest("searchguard/config/0", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePutRequest("searchguard/config/0", "{}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertTrue(executeGetRequest("_cat/indices/public", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("bug108", "nagilum"))).getBody().contains("green"));
                Assert.assertEquals(200L, r0.getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("spock/type01/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("spock", "spock"))).getStatusCode());
                Assert.assertEquals(403L, executeGetRequest("spock/type01/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("kirk", "kirk"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("kirk/type01/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("kirk", "kirk"))).getStatusCode());
                Assert.assertEquals(403L, executePutRequest("_mapping/config", "{\"i\" : [\"4\"]}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(403L, executePostRequest("searchguard/_mget", "{\"ids\" : [\"0\"]}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("starfleet/ships/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                TransportClient build4 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
                Throwable th4 = null;
                try {
                    try {
                        this.log.debug("Start transport client to init 2", new Object[0]);
                        build4.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                        build4.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles_deny.yml"))).actionGet();
                        Assert.assertEquals(3L, ((ConfigUpdateResponse) build4.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                        if (build4 != null) {
                            if (0 != 0) {
                                try {
                                    build4.close();
                                } catch (Throwable th5) {
                                    th4.addSuppressed(th5);
                                }
                            } else {
                                build4.close();
                            }
                        }
                        Assert.assertEquals(403L, executeGetRequest("starfleet/ships/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                        build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
                        th = null;
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
            try {
                try {
                    this.log.debug("Start transport client to init 3", new Object[0]);
                    build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                    build3.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                    Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                    if (build3 != null) {
                        if (0 != 0) {
                            try {
                                build3.close();
                            } catch (Throwable th6) {
                                th.addSuppressed(th6);
                            }
                        } else {
                            build3.close();
                        }
                    }
                    Assert.assertEquals(200L, executeGetRequest("starfleet/ships/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
                    AbstractUnitTest.HttpResponse executeGetRequest = executeGetRequest("_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum")));
                    Assert.assertEquals(200L, executeGetRequest.getStatusCode());
                    Assert.assertTrue(executeGetRequest.getBody().contains("\"total\" : 17"));
                    Assert.assertTrue(!executeGetRequest.getBody().contains("searchguard"));
                    AbstractUnitTest.HttpResponse executeGetRequest2 = executeGetRequest("_nodes/stats?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum")));
                    Assert.assertEquals(200L, executeGetRequest2.getStatusCode());
                    Assert.assertTrue(executeGetRequest2.getBody().contains("total_in_bytes"));
                    Assert.assertTrue(executeGetRequest2.getBody().contains("max_file_descriptors"));
                    Assert.assertTrue(executeGetRequest2.getBody().contains("buffer_pools"));
                    Assert.assertFalse(executeGetRequest2.getBody().contains("\"nodes\" : { }"));
                    AbstractUnitTest.HttpResponse executePostRequest = executePostRequest("*/_upgrade", "", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum")));
                    System.out.println(executePostRequest.getBody());
                    System.out.println(executePostRequest.getStatusReason());
                    Assert.assertEquals(200L, executePostRequest.getStatusCode());
                    AbstractUnitTest.HttpResponse executePostRequest2 = executePostRequest("_bulk", "{ \"index\" : { \"_index\" : \"test\", \"_type\" : \"type1\", \"_id\" : \"1\" } }" + System.lineSeparator() + "{ \"field1\" : \"value1\" }" + System.lineSeparator() + "{ \"index\" : { \"_index\" : \"test\", \"_type\" : \"type1\", \"_id\" : \"2\" } }" + System.lineSeparator() + "{ \"field2\" : \"value2\" }" + System.lineSeparator(), new BasicHeader("Authorization", "Basic " + encodeBasicHeader("writer", "writer")));
                    Assert.assertEquals(200L, executePostRequest2.getStatusCode());
                    Assert.assertTrue(executePostRequest2.getBody().contains("\"errors\":false"));
                    Assert.assertTrue(executePostRequest2.getBody().contains("\"status\":201"));
                } finally {
                }
            } finally {
                if (build3 != null) {
                    if (th != null) {
                        try {
                            build3.close();
                        } catch (Throwable th7) {
                            th.addSuppressed(th7);
                        }
                    } else {
                        build3.close();
                    }
                }
            }
        } finally {
        }
    }

    @Test
    public void testConfigHotReload() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build();
        TransportClient build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build3.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build3.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build3.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build3 != null) {
                    if (0 != 0) {
                        try {
                            build3.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build3.close();
                    }
                }
                BasicHeader basicHeader = new BasicHeader("Authorization", "Basic " + encodeBasicHeader("spock", "spock"));
                for (InetSocketTransportAddress inetSocketTransportAddress : this.httpAdresses) {
                    AbstractUnitTest.HttpResponse executeRequest = executeRequest(new HttpGet("http://" + inetSocketTransportAddress.getHost() + ":" + inetSocketTransportAddress.getPort() + "/_searchguard/authinfo?pretty=true"), basicHeader);
                    Assert.assertTrue(executeRequest.getBody().contains("spock"));
                    Assert.assertFalse(executeRequest.getBody().contains("additionalrole"));
                    Assert.assertTrue(executeRequest.getBody().contains("vulcan"));
                }
                build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
                Throwable th3 = null;
                try {
                    try {
                        this.log.debug("Start transport client to init", new Object[0]);
                        build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                        Assert.assertEquals(3L, ((NodesInfoResponse) build3.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                        build3.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users_spock_add_roles.yml"))).actionGet();
                        Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                        if (build3 != null) {
                            if (0 != 0) {
                                try {
                                    build3.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            } else {
                                build3.close();
                            }
                        }
                        for (InetSocketTransportAddress inetSocketTransportAddress2 : this.httpAdresses) {
                            this.log.debug("http://" + inetSocketTransportAddress2.getHost() + ":" + inetSocketTransportAddress2.getPort(), new Object[0]);
                            AbstractUnitTest.HttpResponse executeRequest2 = executeRequest(new HttpGet("http://" + inetSocketTransportAddress2.getHost() + ":" + inetSocketTransportAddress2.getPort() + "/_searchguard/authinfo?pretty=true"), basicHeader);
                            Assert.assertTrue(executeRequest2.getBody().contains("spock"));
                            Assert.assertTrue(executeRequest2.getBody().contains("additionalrole1"));
                            Assert.assertTrue(executeRequest2.getBody().contains("additionalrole2"));
                            Assert.assertFalse(executeRequest2.getBody().contains("starfleet"));
                        }
                        TransportClient build4 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
                        Throwable th5 = null;
                        try {
                            try {
                                this.log.debug("Start transport client to init", new Object[0]);
                                build4.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                                Assert.assertEquals(3L, ((NodesInfoResponse) build4.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                                build4.index(new IndexRequest("searchguard").type("config").refresh(true).id("0").source(readYamlContent("sg_config_host.yml"))).actionGet();
                                Assert.assertEquals(3L, ((ConfigUpdateResponse) build4.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                                if (build4 != null) {
                                    if (0 != 0) {
                                        try {
                                            build4.close();
                                        } catch (Throwable th6) {
                                            th5.addSuppressed(th6);
                                        }
                                    } else {
                                        build4.close();
                                    }
                                }
                                for (InetSocketTransportAddress inetSocketTransportAddress3 : this.httpAdresses) {
                                    AbstractUnitTest.HttpResponse executeRequest3 = executeRequest(new HttpGet("http://" + inetSocketTransportAddress3.getHost() + ":" + inetSocketTransportAddress3.getPort() + "/_searchguard/authinfo?pretty=true"), new Header[0]);
                                    this.log.debug(executeRequest3.getBody(), new Object[0]);
                                    Assert.assertTrue(executeRequest3.getBody().contains("sg_role_host1"));
                                    Assert.assertTrue(executeRequest3.getBody().contains("sg_role_host2"));
                                    Assert.assertTrue(executeRequest3.getBody().contains("sg_host_127.0.0.1"));
                                    Assert.assertTrue(executeRequest3.getBody().contains("roles=[]"));
                                    Assert.assertEquals(200L, executeRequest3.getStatusCode());
                                }
                            } finally {
                            }
                        } finally {
                            if (build4 != null) {
                                if (th5 != null) {
                                    try {
                                        build4.close();
                                    } catch (Throwable th7) {
                                        th5.addSuppressed(th7);
                                    }
                                } else {
                                    build4.close();
                                }
                            }
                        }
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void testCreateIndex() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).put("index.number_of_shards", 3).put("index.number_of_replicas", 0).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals("Expected 3 nodes", 3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                Assert.assertTrue("Alias creation not acknowledged", ((IndicesAliasesResponse) build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy"})).actionGet()).isAcknowledged());
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                Assert.assertEquals("Unable to create index 'nag'", 200L, executePutRequest("nag1", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals("Unable to create index 'starfleet_library'", 200L, executePutRequest("starfleet_library", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Thread.sleep(2000L);
                waitForGreenClusterState(this.esNode1.client());
                Assert.assertEquals("Unable to close index 'starfleet_library'", 200L, executePostRequest("starfleet_library/_close", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                AbstractUnitTest.HttpResponse executePostRequest = executePostRequest("starfleet_library/_open", null, new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum")));
                Assert.assertEquals("Unable to open index 'starfleet_library'", 200L, executePostRequest.getStatusCode());
                Assert.assertEquals("open index 'starfleet_library' not acknowledged", "{\"acknowledged\":true}", executePostRequest.getBody());
                waitForGreenClusterState(this.esNode1.client());
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testHTTPProxy() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config_proxy.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config_proxy.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                Assert.assertEquals(401L, executeGetRequest("", new Header[0]).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), new BasicHeader("x-proxy-user", "scotty"), new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum-wrong", "nagilum-wrong"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), new BasicHeader("x-proxy-user-wrong", "scotty"), new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                Assert.assertEquals(500L, executeGetRequest("", new BasicHeader("x-forwarded-for", "a"), new BasicHeader("x-proxy-user", "scotty"), new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum-wrong", "nagilum-wrong"))).getStatusCode());
                Assert.assertEquals(500L, executeGetRequest("", new BasicHeader("x-forwarded-for", "a,b,c"), new BasicHeader("x-proxy-user", "scotty")).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), new BasicHeader("x-proxy-user", "scotty")).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), new BasicHeader("X-Proxy-User", "scotty")).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), new BasicHeader("x-proxy-user", "scotty"), new BasicHeader("x-proxy-roles", "starfleet,engineer")).getStatusCode());
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testTransportClient() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf", "nagilum"}).build();
        System.out.println(build.getAsMap());
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            this.log.debug("Start transport client to init", new Object[0]);
            build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
            build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
            build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            System.out.println("------- Begin INIT ---------");
            build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
            build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
            Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    build2.close();
                }
            }
            System.out.println("------- INIT complete ---------");
            Settings build3 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("spock-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "spock").put("path.home", ".").build();
            System.out.println("------- 0 ---------");
            TransportClient build4 = TransportClient.builder().settings(build3).addPlugin(SearchGuardSSLPlugin.class).build();
            Throwable th3 = null;
            try {
                this.log.debug("Start transport client to use", new Object[0]);
                build4.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build4.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                System.out.println("------- 1 ---------");
                Assert.assertTrue(((CreateIndexResponse) build4.admin().indices().create(new CreateIndexRequest("vulcan")).actionGet()).isAcknowledged());
                System.out.println("------- 2 ---------");
                Assert.assertTrue(((IndexResponse) build4.index(new IndexRequest("vulcan").type("secrets").id("s1").refresh(true).source("{\"secret\":true}")).actionGet()).isCreated());
                System.out.println("------- 3 ---------");
                Assert.assertTrue(build4.prepareGet("vulcan", "secrets", "s1").setRealtime(true).get().isExists());
                System.out.println("------- 4 ---------");
                Assert.assertTrue(build4.prepareGet("vulcan", "secrets", "s1").setRealtime(false).get().isExists());
                System.out.println("------- 5 ---------");
                Assert.assertEquals(1L, ((SearchResponse) build4.search(new SearchRequest(new String[]{"vulcan"}).types(new String[]{"secrets"})).actionGet()).getHits().getHits().length);
                System.out.println("------- 6 ---------");
                Assert.assertFalse(build4.prepareGet("searchguard", "config", "0").setRealtime(false).get().isExists());
                System.out.println("------- 7 ---------");
                Assert.assertFalse(build4.prepareGet("searchguard", "config", "0").setRealtime(true).get().isExists());
                System.out.println("------- 8 ---------");
                Assert.assertEquals(0L, ((SearchResponse) build4.search(new SearchRequest(new String[]{"searchguard"})).actionGet()).getHits().getHits().length);
                System.out.println("------- 9 ---------");
                try {
                    build4.index(new IndexRequest("searchguard").type("config").id("0").source(readYamlContent("sg_config.yml"))).actionGet();
                    Assert.fail();
                } catch (Exception e) {
                    System.out.println(e.getMessage());
                }
                System.out.println("------- 10 ---------");
                try {
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("sg_impersonate_as", "worf").get();
                    Assert.fail();
                } catch (ElasticsearchSecurityException e2) {
                    Assert.assertEquals("no permissions for indices:data/read/get", e2.getMessage());
                }
                System.out.println("------- 11 ---------");
                try {
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("Authorization", "basic " + encodeBasicHeader("worf", "worf")).get();
                    Assert.fail();
                } catch (ElasticsearchSecurityException e3) {
                    Assert.assertEquals("no permissions for indices:data/read/get", e3.getMessage());
                }
                System.out.println("------- 12 ---------");
                try {
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("Authorization", "basic " + encodeBasicHeader("worf", "worf111")).get();
                    Assert.fail();
                } catch (ElasticsearchSecurityException e4) {
                    Assert.assertTrue(e4.getCause().getMessage().contains("password does not match"));
                }
                System.out.println("------- 13 ---------");
                try {
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("sg_impersonate_as", "gkar").get();
                    Assert.fail();
                } catch (ElasticsearchSecurityException e5) {
                    Assert.assertEquals("'CN=spock,OU=client,O=client,L=Test,C=DE' is not allowed to impersonate as 'gkar'", e5.getMessage());
                }
                System.out.println("------- 14 ---------");
                boolean z = false;
                try {
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("sg_impersonate_as", "nagilum").get();
                    z = true;
                    build4.prepareGet("vulcan", "secrets", "s1").putHeader("sg_impersonate_as", "nagilum").putHeader("Authorization", "basic " + encodeBasicHeader("worf", "worf")).get();
                    Assert.fail();
                } catch (ElasticsearchSecurityException e6) {
                    Assert.assertEquals("no permissions for indices:data/read/get", e6.getMessage());
                    Assert.assertTrue(z);
                }
                System.out.println("------- 15 ---------");
                GetResponse getResponse = build4.prepareGet("searchguard", "config", "0").putHeader("sg_impersonate_as", "nagilum").setRealtime(Boolean.TRUE).get();
                Assert.assertFalse(getResponse.isExists());
                Assert.assertTrue(getResponse.isSourceEmpty());
                GetResponse getResponse2 = build4.prepareGet("searchguard", "config", "0").putHeader("Authorization", "basic " + encodeBasicHeader("nagilum", "nagilum")).setRealtime(Boolean.TRUE).get();
                Assert.assertFalse(getResponse2.isExists());
                Assert.assertTrue(getResponse2.isSourceEmpty());
                System.out.println("------- 16---------");
                GetResponse getResponse3 = build4.prepareGet("searchguard", "config", "0").putHeader("sg_impersonate_as", "nagilum").setRealtime(Boolean.FALSE).get();
                Assert.assertFalse(getResponse3.isExists());
                Assert.assertTrue(getResponse3.isSourceEmpty());
                build4.prepareSearchScroll(build4.prepareSearch(new String[]{"starfleet"}).setTypes(new String[]{"ships"}).setScroll(TimeValue.timeValueMinutes(5L)).putHeader("sg_impersonate_as", "nagilum").get().getScrollId()).putHeader("sg_impersonate_as", "worf").get();
                System.out.println("------- TRC end ---------");
                if (build4 != null) {
                    if (0 != 0) {
                        try {
                            build4.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    } else {
                        build4.close();
                    }
                }
                System.out.println("------- CTC end ---------");
            } catch (Throwable th5) {
                if (build4 != null) {
                    if (0 != 0) {
                        try {
                            build4.close();
                        } catch (Throwable th6) {
                            th3.addSuppressed(th6);
                        }
                    } else {
                        build4.close();
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    build2.close();
                }
            }
            throw th7;
        }
    }

    public void testHttps() throws Exception {
        this.enableHTTPClientSSL = true;
        this.trustHTTPServerCertificate = true;
        this.sendHTTPClientCertificate = true;
        startES(Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", false).put("searchguard.ssl.http.keystore_alias", "node-0").put("searchguard.ssl.http.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.http.enforce_clientauth", true).put(new Object[]{"searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).build());
        System.out.println(executeSimpleRequest("_searchguard/sslinfo?pretty"));
        Assert.assertTrue(executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        Assert.assertFalse(executeSimpleRequest("_nodes/settings?pretty").contains("\"searchguard\""));
    }

    @Test
    public void testSpecialUsernames() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("bug.99", "nagilum"))).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("a", "b"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("\"'+-,;_?*@<>!$%&/()=#", "nagilum"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("§ÄÖÜäöüß", "nagilum"))).getStatusCode());
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testDlsFls() throws Exception {
        Assume.assumeTrue(ReflectionHelper.canLoad("com.floragunn.searchguard.configuration.SearchGuardFlsDlsIndexSearcherWrapper"));
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                Assert.assertEquals(401L, executeGetRequest("", new Header[0]).getStatusCode());
                AbstractUnitTest.HttpResponse executeGetRequest = executeGetRequest("/_search?pretty", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("sarek", "sarek")));
                Assert.assertEquals(200L, executeGetRequest.getStatusCode());
                Assert.assertTrue(executeGetRequest.getBody().contains("\"total\" : 1,"));
                Assert.assertTrue(executeGetRequest.getBody().contains("\"_source\" : { }"));
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testHTTPAnon() throws Exception {
        Throwable th;
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf"}).build();
        startES(build);
        Settings build2 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build();
        TransportClient build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th2 = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build3.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build3.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build3.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config_anon.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build3.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build3.index(new IndexRequest("vulcangov").type("kolinahr").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("vulcangov").type("secrets").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("vulcangov").type("planet").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("captains").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_academy").type("students").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_academy").type("alumni").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_library").type("public").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("starfleet_library").type("administration").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("klingonempire").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("klingonempire").type("praxis").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("legends").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":1}")).actionGet();
                build3.index(new IndexRequest("public").type("hall_of_fame").refresh(true).source("{\"content\":2}")).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("sf", new String[]{"starfleet", "starfleet_academy", "starfleet_library"})).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("nonsf", new String[]{"klingonempire", "vulcangov"})).actionGet();
                build3.admin().indices().aliases(new IndicesAliasesRequest().addAlias("unrestricted", new String[]{"public"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build3 != null) {
                    if (0 != 0) {
                        try {
                            build3.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        build3.close();
                    }
                }
                Assert.assertEquals(200L, executeGetRequest("", new Header[0]).getStatusCode());
                Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "wrong"))).getStatusCode());
                Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                AbstractUnitTest.HttpResponse executeGetRequest = executeGetRequest("_searchguard/authinfo", new Header[0]);
                System.out.println(executeGetRequest.getBody());
                Assert.assertTrue(executeGetRequest.getBody().contains("sg_anonymous"));
                Assert.assertEquals(200L, executeGetRequest.getStatusCode());
                AbstractUnitTest.HttpResponse executeGetRequest2 = executeGetRequest("_searchguard/authinfo", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum")));
                System.out.println(executeGetRequest2.getBody());
                Assert.assertTrue(executeGetRequest2.getBody().contains("nagilum"));
                Assert.assertFalse(executeGetRequest2.getBody().contains("sg_anonymous"));
                Assert.assertEquals(200L, executeGetRequest2.getStatusCode());
                build3 = TransportClient.builder().settings(build2).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
                th = null;
            } finally {
            }
            try {
                try {
                    this.log.debug("Start transport client to init", new Object[0]);
                    build3.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                    Assert.assertEquals(3L, ((NodesInfoResponse) build3.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                    build3.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                    build3.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                    Assert.assertEquals(3L, ((ConfigUpdateResponse) build3.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                    if (build3 != null) {
                        if (0 != 0) {
                            try {
                                build3.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            build3.close();
                        }
                    }
                    Assert.assertEquals(401L, executeGetRequest("", new Header[0]).getStatusCode());
                    Assert.assertEquals(401L, executeGetRequest("_searchguard/authinfo", new Header[0]).getStatusCode());
                    Assert.assertEquals(401L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "wrong"))).getStatusCode());
                    Assert.assertEquals(200L, executeGetRequest("", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
                } finally {
                }
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void testTransportClientImpersonation() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"worf", "nagilum"}).build();
        System.out.println(build.getAsMap());
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            this.log.debug("Start transport client to init", new Object[0]);
            build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
            build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
            build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            System.out.println("------- Begin INIT ---------");
            build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
            build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
            Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    build2.close();
                }
            }
            System.out.println("------- INIT complete ---------");
            Settings build3 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("spock-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "spock").put("path.home", ".").put("request.headers.sg_impersonate_as", "worf").build();
            System.out.println("------- 0 ---------");
            TransportClient build4 = TransportClient.builder().settings(build3).addPlugin(SearchGuardSSLPlugin.class).build();
            Throwable th3 = null;
            try {
                try {
                    this.log.debug("Start transport client to use", new Object[0]);
                    build4.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                    Assert.assertEquals(3L, ((NodesInfoResponse) build4.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                    System.out.println("------- TRC end ---------");
                    if (build4 != null) {
                        if (0 != 0) {
                            try {
                                build4.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        } else {
                            build4.close();
                        }
                    }
                    System.out.println("------- CTC end ---------");
                } finally {
                }
            } catch (Throwable th5) {
                if (build4 != null) {
                    if (th3 != null) {
                        try {
                            build4.close();
                        } catch (Throwable th6) {
                            th3.addSuppressed(th6);
                        }
                    } else {
                        build4.close();
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    build2.close();
                }
            }
            throw th7;
        }
    }

    @Test
    public void testTransportClientImpersonationWildcard() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).putArray("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", new String[]{"*"}).build();
        System.out.println(build.getAsMap());
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("dummy").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                System.out.println("------- Begin INIT ---------");
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                build2.index(new IndexRequest("starfleet").type("ships").refresh(true).source("{\"content\":1}")).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                System.out.println("------- INIT complete ---------");
                Settings build3 = Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("spock-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "spock").put("path.home", ".").put("request.headers.sg_impersonate_as", "worf").build();
                System.out.println("------- 0 ---------");
                build2 = TransportClient.builder().settings(build3).addPlugin(SearchGuardSSLPlugin.class).build();
                Throwable th3 = null;
                try {
                    try {
                        this.log.debug("Start transport client to use", new Object[0]);
                        build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                        Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                        System.out.println("------- TRC end ---------");
                        if (build2 != null) {
                            if (0 != 0) {
                                try {
                                    build2.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            } else {
                                build2.close();
                            }
                        }
                        System.out.println("------- CTC end ---------");
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void testFilteredAlias() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("theindex").type("type1").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("theindex").type("type2").refresh(true).source("{\"content\":2}")).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("alias1", QueryBuilders.termQuery("_type", "type1"), new String[]{"theindex"})).actionGet();
                build2.admin().indices().aliases(new IndicesAliasesRequest().addAlias("alias2", QueryBuilders.termQuery("_type", "type2"), new String[]{"theindex"})).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                Assert.assertEquals(403L, executeGetRequest("alias*/_search", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("worf", "worf"))).getStatusCode());
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testMultiget() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            try {
                this.log.debug("Start transport client to init", new Object[0]);
                build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
                Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
                build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
                build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
                build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
                System.out.println("------- End INIT ---------");
                build2.index(new IndexRequest("mindex1").type("type").id("1").refresh(true).source("{\"content\":1}")).actionGet();
                build2.index(new IndexRequest("mindex2").type("type").id("2").refresh(true).source("{\"content\":2}")).actionGet();
                Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
                if (build2 != null) {
                    if (0 != 0) {
                        try {
                            build2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build2.close();
                    }
                }
                AbstractUnitTest.HttpResponse executePostRequest = executePostRequest("_mget?refresh=true", "{\"docs\" : [{\"_index\" : \"mindex1\",\"_type\" : \"type\",\"_id\" : \"1\" }, {\"_index\" : \"mindex2\", \"_type\" : \"type\", \"_id\" : \"2\"}]}", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("picard", "picard")));
                System.out.println(executePostRequest.getBody());
                Assert.assertEquals(200L, executePostRequest.getStatusCode());
                Assert.assertFalse(executePostRequest.getBody().contains("type2"));
            } finally {
            }
        } catch (Throwable th3) {
            if (build2 != null) {
                if (th != null) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testSingle() throws Exception {
        Settings build = Settings.settingsBuilder().put("searchguard.ssl.transport.enabled", true).put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL).put("searchguard.ssl.transport.keystore_alias", "node-0").put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks")}).put(new Object[]{"searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks")}).put("searchguard.ssl.transport.enforce_hostname_verification", false).put("searchguard.ssl.transport.resolve_hostname", false).putArray("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,l=tEst, C=De"}).build();
        startES(build);
        TransportClient build2 = TransportClient.builder().settings(Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).put(new Object[]{"searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("kirk-keystore.jks")}).put("searchguard.ssl.transport.keystore_alias", "kirk").put("path.home", ".").build()).addPlugin(SearchGuardSSLPlugin.class).addPlugin(SearchGuardPlugin.class).build();
        Throwable th = null;
        try {
            this.log.debug("Start transport client to init", new Object[0]);
            build2.addTransportAddress(new InetSocketTransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            Assert.assertEquals(3L, ((NodesInfoResponse) build2.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().length);
            build2.admin().indices().create(new CreateIndexRequest("searchguard")).actionGet();
            build2.index(new IndexRequest("searchguard").type("config").id("0").refresh(true).source(readYamlContent("sg_config.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("internalusers").refresh(true).id("0").source(readYamlContent("sg_internal_users.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("roles").id("0").refresh(true).source(readYamlContent("sg_roles.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("rolesmapping").refresh(true).id("0").source(readYamlContent("sg_roles_mapping.yml"))).actionGet();
            build2.index(new IndexRequest("searchguard").type("actiongroups").refresh(true).id("0").source(readYamlContent("sg_action_groups.yml"))).actionGet();
            System.out.println("------- End INIT ---------");
            build2.index(new IndexRequest("shakespeare").type("type").id("1").refresh(true).source("{\"content\":1}")).actionGet();
            Assert.assertEquals(3L, ((ConfigUpdateResponse) build2.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).getNodes().length);
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    build2.close();
                }
            }
            AbstractUnitTest.HttpResponse executeGetRequest = executeGetRequest("shakespeare/_search", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("picard", "picard")));
            System.out.println(executeGetRequest.getBody());
            Assert.assertEquals(200L, executeGetRequest.getStatusCode());
            Assert.assertTrue(executeGetRequest.getBody().contains("\"content\":1"));
            Assert.assertEquals(200L, executeHeadRequest("shakespeare", new BasicHeader("Authorization", "Basic " + encodeBasicHeader("picard", "picard"))).getStatusCode());
        } catch (Throwable th3) {
            if (build2 != null) {
                if (0 != 0) {
                    try {
                        build2.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build2.close();
                }
            }
            throw th3;
        }
    }

    static {
        System.setProperty("sg.nowarn.client", "true");
    }
}
